There is a great deal of misinformation about browser cookies, in regards to what their capabilities are and what they are used for.

I find it easiest to compare a cookie to a temporary visa issued by a country with strict internal transit rules for visitors, such as Burma or North Korea. On entering such a country, your visa is stamped with the time and port of entry. The Burmese junta will know which flight you arrived on (and thus where you came from) but will not be aware of any trips made before your flight. Once you have landed, your movement though the country is likely to be tracked, with new entries stamped in your visa when you enter certain provinces or militarily sensitive areas. When you leave, the visa will be given a last stamp that includes the date that you exited the country, and the Burmese will know of your immediate destination, but not of your movement after the aircraft touches down on foreign soil. No other country can read the visa, as it is written in Burmese.

Similarly, cookies are issued per domain. They can contain any information that you, the visitor, provide, and may record actions you take on the site: what pages you visit, how long you stayed, what you clicked on, etc. They can also record where you came from and where you left to (but not actions taken before or after that point). Any information that you enter into a form can be stored inside a cookie (but any information that is personally identifiable should not, as cookies are not secure). Browser and operating system information (browser version, resolution, etc) could also be included. This information is stored on the client, either temporarily (while the browser is running) or permanently, and the data held inside cookies can be checked when the user returns.

There are a few other restrictions on cookies:

  • A limit of 20 cookies can be sent from any domain to the client
  • Cookies can be blocked, modified, copied, or deleted by the client.
  • Cookies should never be used as an absolute means of authentication.
  • Cookies can contain strings or numbers, to a maximum of 4096 bytes.
  • Cookies cannot be read by other domains.
  • Cookies cannot be created in HTML; they must be created, read and modified with a server-side language or JavaScript.

Finally, cookies are threatened long-term by the advent of HTML5's localStorage() feature, which adds database-like structure to client storage of data (as well as being considerably easier to write in JavaScript: writing cookies in pure JavaScript is a pain). This transition will take several years, but it will occur. Cookies will, however, continue to be useful, so they are what we will concentrate on here. (I will cover localStorage() in a later article.)

Enjoy this piece? I invite you to follow me at twitter.com/dudleystorey to learn more.